How to enable users audit ( every command logging) in RedHat

Add this line to your pam config responsible for logins (its system-auth on redhat based distros)

session    required enable=*

To find out what was done, you can use.

ausearch -ts <some_timestamp> -m tty -i

This produces an output like this:

 type=TTY msg=audit(11/30/2011 15:38:39.178:12763684) : tty pid=32377 uid=root
 auid=matthew major=136 minor=2 comm=bash data=<up>,<ret>

The only downside to this is is can be a little bit difficult to read, but it is much better than most proposed solutions since in theory it could be used to record an entire session, warts n all.

Edit: Oh and you can use aureport to generate a list that can be more helpful.

# aureport --tty
12. 11/30/2011 15:50:54 12764042 501 ? 4294967295 bash "d",<^D>
13. 11/30/2011 15:52:30 12764112 501 ? 4294967295 bash "aureport --ty",<ret>
14. 11/30/2011 15:52:31 12764114 501 ? 4294967295 bash <up>,<left>,<left>,"t",<ret>